By Pat Salem, CPA, CFE
IAG Forensics & Valuation
Technology is constantly evolving as industry experts find new and improved ways to do things. They have brought us banking by phone, transfers via texting and mobile payments with Square. Even before these technologies became globally available, we were making on-line payments using service providers such as PayPal, SecurePay and Authorize.net.
As technology evolves the question businesses need to ask is, are the internal controls evolving as well?
Take PayPal, for instance. PayPal provides individuals and businesses a quick and easy way to make and receive payments and to transfer funds. It takes only minutes to set-up a PayPal account and link this account to your bank, credit card and debit card accounts. Once you have done that, you can start transferring funds or making payments to any vendors that accept payments by PayPal. You can make payments through the Internet, with your phone or using a PayPal debit card. You can even withdraw cash from ATMs using a PayPal debit card. Just add a PayPal button to your website, and you’re ready to start receiving payments from others.
While these marvels in technology make our lives easier, they also present challenges that we must consider and address before implementing this technology. Has your business or law firm put into place the proper internal controls to help mitigate any risks associated with funds maintained in your PayPal account? Any business leader or owner should ask themselves these questions:
- Are we using PayPal accounts to receive or make payments?
- Who has access to these PayPal accounts?
- What bank, credit card or debit card accounts are tied to the PayPal accounts?
- How are PayPal transactions recorded in our accounting system?
- Is each PayPal account reconciled on a regular basis?
If you do not know the answer to these questions, your internal controls may be inadequate. To protect your organization from misuse or misappropriation of funds held in a PayPal account, you may want to consider implementing the following internal controls:
- Capture information about your PayPal account in your chart of accounts to ensure that the PayPal account is visible and receives proper attention.
- Establish and implement policies and procedures for the management, use and transfer of funds held in your PayPal account.
- Segregate duties with respect to your PayPal account.
- Reconcile PayPal accounts when you reconcile bank accounts.
If you do not put the proper internal controls in place, your organization may face problems similar to the following examples.
A North Georgia Animal Shelter
The director of a North Georgia no-kill animal shelter diverted funds from their intended purpose using them instead for personal benefit. The director set up PayPal accounts to accept donations for a Lucky Dog and Lucky Cat program that would have sponsored pets that might otherwise have been euthanized. The director, however, did not use the PayPal funds in the manner advertised. Donations totaling $10,550 were transferred from the shelter’s PayPal accounts to the director’s personal bank accounts. Several animals, for which donations had been received, were euthanized. The following timeline shows the flow of cash from two of the shelter’s PayPal accounts to one of the director’s personal bank accounts over a four-month period.
As demonstrated in the timeline, transfers from the shelter’s PayPal accounts to the director’s personal bank accounts, were frequently followed by cash withdrawals and trips to Harrah’s Cherokee Casino.
The shelter’s inadequate internal controls resulted not only in the misappropriation of shelter funds, but more tragically, in the deaths of innocent dogs and cats.
The former director of the animal shelter was charged and convicted of numerous offenses and sentenced to 10 years in prison. As of January of this year, the former director remained incarcerated.
A Not-for-Profit Organization
Over a five-and-a-half year period, the operations manager of a not-for-profit organization diverted nearly $500,000 of funds from their intended purpose to be used instead for personal benefit. The operations manager set-up a PayPal account through which individuals and other entities could make donations to further the mission of the organization. Rather than transferring these donations to the organization’s bank account, the operations manager used these funds for personal benefit, paying for clothing, entertainment, meals, personal grooming and travel. Purchases were made over the Internet at websites that accepted PayPal as a form of payment. Purchases were also made at brick and mortar establishments using a PayPal debit card or a mobile phone tied to the PayPal account. The operations manager also withdrew cash from ATMs at numerous locations within and outside of the United States.
Similar circumstances were present in each of the above cases and should be red flags for potential abuse:
- The director/manager had full control over the organization’s PayPal accounts.
- No other individual had access to these accounts.
- There was no segregation of duties.
- There were no policies in place defining the guidelines and procedures for managing PayPal accounts and the funds held in those accounts.
- The PayPal accounts were not routinely reconciled.
Don’t let your funds pay someone’s holiday – institute internal procedures to keep your funds where they should be.
Is your organization or your client’s company or non-profit adequately protected against misappropriation of funds from its PayPal accounts? If you have any questions or need assistance in a fraud matter, please call Pat Salem at 770-635-1698 or Karen Fortune at 770-635-1699.